> On 30 May 2016, at 15:22, Fabrice Bacchella <fabrice.bacche...@icloud.com> 
> wrote:
> 
>> 
>> On 30 May 2016, at 15:01, Michal Skrivanek <michal.skriva...@redhat.com> 
>> wrote:
>> 
>> 
>>> On 30 May 2016, at 14:57, Fabrice Bacchella <fabrice.bacche...@orange.fr> 
>>> wrote:
>>> 
>>>> 
>>>> Running with selinux disabled is not recommended nor supported.
>>>> It should be easy to skip over that problem, but in general this is not 
>>>> something you should hit in a normal environment.
>>> 
>>> That's a very theoretical recommendation. selinux is very very often disabled, 
>>> because nobody really understands it.
>> 
>> It is not theoretical, it’s mandatory. There is an assumption it is enabled, 
>> after bare OS installation it is enabled, so when you disable it it is an 
>> explicit decision made by the admin for some reason. What did you find not 
>> working? Did you really encounter anything not being solved by setting 
>> Permissive mode instead of disabling completely?
>> 
> 
> What's the purpose of permissive? If everything is allowed, what is selinux 
> good for? Instead of having something that runs doing nothing, I shut it down, 
> and selinux is part of that generic policy.

There is a difference between “no support for selinux” and “allowing 
everything”. Functionally it is different, as e.g. labelling is not done 
when selinux is disabled; that’s why typically, when you disable selinux and 
install/change something, those files do not have the context set up properly, 
and when you enable selinux again things break completely (this bug is a 
different case).

> 
> What is a bad practice is switching selinux on and off. So my installation 
> setup is done with selinux down and stays so for the whole life of the 
> server.
> 
> I never met a product that requires selinux.

I’m not going to start a flamewar on selinux, there are plenty of those out 
there:) But oVirt is built with security in mind on a RHEL-based distro, so it 
uses SELinux.
All I can say is that disabling SELinux is discouraged for security as well as 
functionality reasons.

> 
> And more, I just had a look at your administration guide 
> (http://www.ovirt.org/documentation/admin-guide/administration-guide/) and 
> quickstart guide 
> (http://www.ovirt.org/documentation/quickstart/quickstart-guide/). selinux is 
> never declared as mandatory. There are just a few tips about the problem that 
> one can have with selinux.

Yes, most things tend to work…until they don’t. You’ve just encountered the 
situation when it doesn’t work. It shall be fixed, but it is not at the moment.

Thanks,
michal

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
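
The labelling point made in the reply above, as an added example (not part of the original thread or of the oVirt project): it reads the configured mode and a saved listing of file contexts, then reports the files that carry no usable label. The input formats (an `/etc/selinux/config`-style file and `CONTEXT PATH` lines such as `stat -c '%C %n'` prints) and every sample value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data below is constructed.

# Print the mode set by the SELINUX= line of an /etc/selinux/config-style file.
configured_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t\r]/, "", $2); m = tolower($2) }
             END { print (m == "" ? "unknown" : m) }' "$1"
}

# Print paths from "CONTEXT PATH" lines whose label is missing or invalid:
#   "?"          no context could be read (typical while SELinux is disabled)
#   unlabeled_t  type the kernel assigns to objects without a valid label
#   file_t       type older policies used for files with no label on disk
unlabeled_paths() {
    awk '{
        ctx = $1
        path = substr($0, length(ctx) + 2)      # keeps spaces inside the path
        n = split(ctx, f, ":")                  # user:role:type[:level]
        type = (n >= 3) ? f[3] : ""
        if (ctx == "?" || type == "unlabeled_t" || type == "file_t") print path
    }' "$1"
}

# One-line summary: is a relabel needed before SELinux can be enforced again?
relabel_report() {
    mode=$(configured_mode "$1")
    count=$(unlabeled_paths "$2" | wc -l | tr -d ' ')
    if [ "$mode" = "disabled" ] || [ "$count" -gt 0 ]; then
        echo "mode=$mode unlabeled=$count action=relabel-before-enforcing"
    else
        echo "mode=$mode unlabeled=$count action=none"
    fi
}

# Constructed sample input: a host installed and modified with SELinux disabled.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$tmp/config"
cat > "$tmp/listing" <<'EOF'
system_u:object_r:etc_t:s0 /etc/hosts
? /srv/app/app.conf
system_u:object_r:unlabeled_t:s0 /srv/app/data.db
system_u:object_r:file_t:s0 /srv/app/my notes.txt
unconfined_u:object_r:user_home_t:s0 /home/admin/.bashrc
EOF

unlabeled_paths "$tmp/listing"
relabel_report "$tmp/config" "$tmp/listing"
```

On a real host the usual remedy for the reported files is a relabel, for example `restorecon -Rv` on the affected tree or `touch /.autorelabel` followed by a reboot.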
